By default, DigiCert Code Signing Certificates are SHA256. If you are a DigiCert customer, getting a SHA1 version of your Code Signing Certificate is fairly easy. You just need to re-key your certificate from within your online account.

Note for Sun Java Platform Only: Create your Certificate Signing Request (CSR) before following the steps in this section. Sun Java is the only platform for which you are required to submit a CSR.

How to Get a SHA1 Version of Your Code Signing Certificate (Re-key)

In your DigiCert account, select the My Orders tab, and then click the Order # for your Code Signing Certificate.

Click the "Click to upload a CSR" link to browse for, select, and open your CSR file.

Paste your CSR

Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the request form in the area provided.

Select Your Server Platform

In the list of server platforms, select the platform for which your Code Signing Certificate is to be used.

Reason for Reissue/Re-Key (Optional)

In the box, specify the reason for the certificate reissue.

Advanced Options

Click +Advanced Options and then uncheck the Use a SHA-2 signature hash algorithm box.

When you are finished, click Continue to Next Step.

On the Reissue – Order # page, click Submit Request.

The certificate requestor of the reissued code signing certificate is sent an email with the subject line: Reissue Your DigiCert Code Signing Certificate (Order #).

Verifying Your SHA1 and SHA256 Code Signing Certificates

Once you've installed both versions of the Code Signing Certificate on your device (e.g., laptop), you need to determine which certificate is the SHA256 and which is the SHA1. We recommend using our DigiCert® Certificate Utility for Windows to make the verification process easier.

How to Verify the SHA1 and SHA2 Versions of Your Code Signing Certificates

Note: Good friendly names can help you easily identify each version of the Code Signing Certificate at a glance.

In the Friendly Name box, enter a unique friendly name for that certificate to help you distinguish it from the other version of the Code Signing Certificate (e.g., yourCompany-SHA256 or yourCompany-SHA1).

When you are finished, click Save.

Repeat steps 3 through 7 to identify the second version of your Code Signing Certificate.

Building the Signing Commands and Signing Your Files

Once both Code Signing Certificates have been identified (SHA256 and SHA1 versions), you need to build the command that you will use to sign your files with both signature hashes (SHA256 and SHA1).

Note: Make sure to use the latest version of SignTool (6.3 or later) to avoid errors. To get SignTool version 10.0, install the Windows 10 SDK on your computer.

How to Get Your Code Signing Certificates' Thumbprints

First you need to get the thumbprint from each version of your Code Signing Certificate (SHA256 and SHA1).

After you receive the message that the thumbprint has been copied to the clipboard, paste the thumbprint for your SHA256 Code Signing Certificate in the text editor.

Repeat the above steps 2 through 4 to get the thumbprint for the SHA1 Code Signing Certificate.

Important: Make sure to note which thumbprint is the SHA256 and which one is the SHA1.

How to Build the Signing Commands and Sign Your Files

For all SignTool command line options, refer to the Microsoft SignTool documentation. When using the SHA2 timestamp or /fd sha256, make sure to use the latest versions of SignTool (6.3 or later).

Note: In step 2 below, replace XXSHA1CERTTHUMBPRINTXX with the thumbprint from the SHA1 version of your Code Signing Certificate that is in your text editor. Then, replace XXSHA256CERTTHUMBPRINTXX with the thumbprint from the SHA2 version of your Code Signing Certificate that is in your text editor.

Open the Command Prompt as an admin.

On the Windows Start screen/menu, type cmd.

Right-click on Command Prompt and then click Run as administrator.

In the Command Prompt, run the following commands to apply the SHA1 signature and append the SHA256 signature:
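
As an added example (a PowerShell script, not DigiCert's own commands or code from this page), the script below selects the SHA1 and SHA256 certificates by their signature algorithm rather than by hand-copied thumbprints, applies the SHA1 signature, appends the SHA256 signature with /as, and verifies both. It assumes both certificates are in the CurrentUser\My store, that signtool.exe (6.3 or later) is on PATH, and that the timestamp URL parameter is correct for your CA; none of these are specified on this page.

```powershell
# Added example, not DigiCert's script. Assumptions: both certificate versions
# are installed in CurrentUser\My, signtool.exe (6.3 or later) is on PATH, and
# the default timestamp URL below, which does not appear on this page.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)

# Unexpired code signing certificates that have a private key on this machine.
$certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

# Pick exactly one certificate whose own signature algorithm matches the
# pattern (Windows reports names such as sha1RSA or sha256RSA). Failing on
# zero or several matches prevents signing with the wrong certificate.
function Select-ByHash([string] $Pattern) {
    $found = @($certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -match $Pattern })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate matching $Pattern, found $($found.Count)."
    }
    $found[0]
}

$sha1Cert   = Select-ByHash '^sha1'
$sha256Cert = Select-ByHash '^sha256'
Write-Host "SHA1 certificate thumbprint:   $($sha1Cert.Thumbprint)"
Write-Host "SHA256 certificate thumbprint: $($sha256Cert.Thumbprint)"

# First signature: SHA1 file digest, signed with the SHA1 certificate.
# Note that /sha1 selects a certificate by thumbprint; it is not a digest option.
& signtool sign /sha1 $sha1Cert.Thumbprint /fd sha1 /tr $TimestampUrl /td sha256 $FilePath
if ($LASTEXITCODE -ne 0) { throw 'SHA1 signing failed.' }

# Second signature: /as appends to the existing signature instead of replacing it.
& signtool sign /as /sha1 $sha256Cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $FilePath
if ($LASTEXITCODE -ne 0) { throw 'SHA256 signing failed.' }

# /pa applies the default Authenticode policy; /all checks every signature on
# the file, so a missing or broken second signature is reported here.
& signtool verify /pa /all /v $FilePath
if ($LASTEXITCODE -ne 0) { throw 'Verification of the dual-signed file failed.' }
```

The verbose verify output should list two signatures, one with a sha1 digest and one with sha256; if only one appears, the second command ran without /as and replaced the first signature.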